Network flow analysis
First Claim
1. A method for network flow analysis, comprising:
- receiving sample packets from a stream of packets over a time interval from a network element;
aggregating the sample packets into a subclass of packets;
determining a sample pool size of the stream of packets in the time interval, a number of sample packets received over the time interval, and a number of sample packets aggregated into the subclass of packets;
calculating an effective sampling ratio (ESR) from the sample pool size of the stream of packets in the time interval and the number of sample packets received over the time interval;
comparing the calculated ESR to a [historical ESR]numerical value to determine if the calculated ESR is within a predetermined range of the [historical ESR]numerical value; and
calculating an extrapolated flow for the subclass of sample packets as a function of the calculated ESR and the number of sample packets aggregated into the subclass of packets when the calculated ESR is within the predetermined range of the [historical ESR]numerical value and calculating an extrapolated flow for the subclass of sample packets as a function of the [historical ESR]numerical value and the number of sample packets aggregated into the subclass of packets when the calculated ESR is outside the predetermined range of the [historical ESR]numerical value,wherein the numerical value is calculated as a function of a plurality of historical ESR values.
4 Assignments
0 Petitions
Accused Products
Abstract
In an example network flow analysis, sample packets can be received from a stream of packets over a time interval from a network element. The sample packets can be aggregated into a subclass of packets. A sample pool size of the stream of packets in the time interval, a number of sample packets received over the time interval, and a number of sample packets aggregated into the subclass of packets can be determined. An effective sampling ratio (ESR) from the sample pool size of the stream of packets in the time interval and the number of sample packets received over the time interval can be calculated. An extrapolated flow for the subclass of sample packets can be calculated by multiplying the ESR by the number of sample packets aggregated into the subclass of packets.
8 Citations
15 Claims
-
1. A method for network flow analysis, comprising:
-
receiving sample packets from a stream of packets over a time interval from a network element; aggregating the sample packets into a subclass of packets; determining a sample pool size of the stream of packets in the time interval, a number of sample packets received over the time interval, and a number of sample packets aggregated into the subclass of packets; calculating an effective sampling ratio (ESR) from the sample pool size of the stream of packets in the time interval and the number of sample packets received over the time interval; comparing the calculated ESR to a [historical ESR]numerical value to determine if the calculated ESR is within a predetermined range of the [historical ESR]numerical value; and calculating an extrapolated flow for the subclass of sample packets as a function of the calculated ESR and the number of sample packets aggregated into the subclass of packets when the calculated ESR is within the predetermined range of the [historical ESR]numerical value and calculating an extrapolated flow for the subclass of sample packets as a function of the [historical ESR]numerical value and the number of sample packets aggregated into the subclass of packets when the calculated ESR is outside the predetermined range of the [historical ESR]numerical value, wherein the numerical value is calculated as a function of a plurality of historical ESR values. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A non-transitory computer-readable medium storing instructions for network flow analysis executable by a computer to cause the computer to:
-
receive a first set of sample packets from a stream of packets over a time interval from a network element; calculate an effective sampling ratio (ESR) by dividing a sample pool size of the stream of packets in the time interval by a total number of the first set of sample packets received from the stream of packets; calculate an outlier value for the calculated ESR by dividing the difference between a mean of a previously calculated ESR and the calculated ESR by a standard deviation of the previously calculated ESR; determine whether the calculated ESR is an outlier by comparing the outlier value for the calculated ESR to a pre-defined outlier value; determine whether to store the calculated ESR or the previously calculated ESR in an array of ESR values based on the comparison of the outlier value to the pre-defined outlier value; and calculate an extrapolated flow for the first set of sample packets as a function of the stored ESR and the total number of the first set of sample packets. - View Dependent Claims (10, 11, 12, 13)
-
-
14. A system for network flow analysis, the system comprising a processor in communication with a non-transitory computer-readable medium, wherein the computer-readable medium contains a set of instructions and wherein the processor is configured to carry out the set of instructions to:
-
receive sample packets from a stream of packets over a time interval from a network element; aggregate the sample packets into a subclass of packets; calculate an effective sampling ratio (ESR) by dividing a sample pool size of the stream of packets in the time interval by a total number of sample packets received from the stream of packets; determine whether the calculated ESR is an outlier versus a stored array of ESR values by comparing the calculated ESR to at least one of the stored ESR values; and calculate an extrapolated flow for the subclass of packets by multiplying the calculated ESR by the number of sample packets aggregated into the subclass of packets when the calculated ESR is determined to not be an outlier versus the stored array of ESR values and calculate an extrapolated flow for the subclass of sample packets by multiplying the at least one of the stored ESR values and the number of sample packets aggregated into the subclass of packets when the calculated ESR is determined to be an outlier versus the stored array of ESR values. - View Dependent Claims (15)
-
Specification